🔥 3-day streak
Microsoft Security Operations Analyst86 / 190
Question 86 of 190

During a threat hunt in Microsoft Defender XDR Advanced Hunting, you need to find all instances where a renamed copy of a legitimate signed binary was executed. Attackers commonly rename tools like certutil.exe or rundll32.exe to evade name-based detections. Which DeviceProcessEvents column should you compare against the file name to reliably detect a renamed system binary?

Reviewed for accuracy · Report an issueNext question